Last week, the Office of Civil Rights (OCR) issued guidance on securing end-to-end communications for sensitive information transmitted between parties over the internet. The OCR warns against “man-in-the-middle” (MITM) attacks that can occur during the transmission of information. In a MITM attack, a third party intercepts communications between two parties and, in addition to accessing

HIPAA enforcement has been on the rise during the last several years, and the dollar impact of those settlements has continued to grow significantly. The Department of Health and Human Services, Office of Civil Rights (OCR) announced a record number of enforcement actions in 2016, including reaching its largest settlement to date in August 2016

The Department of Health and Human Services Office for Civil Rights (OCR) issued long-anticipated guidance to help covered entities and their business associates — including cloud service providers (CSPs) — comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Generally, OCR clarifies that a CSP is considered a business associate and therefore regulated under HIPAA when a covered entity or its business associate engages that CSP to create, receive, maintain or transmit electronic protected health information (ePHI) on its behalf, even if the CSP does not have an encryption key and cannot actually view the ePHI.

For these “no-view services,” OCR has determined that encryption and inability to access are insufficient measures to address all of the security concerns under the HIPAA Security Rule. Indeed, the other key considerations — integrity and availability — are directly relevant to CSPs, regardless of their ability to access the ePHI they maintain. Squarely addressing the justification that many CSPs used to assert that they should not be considered business associates, OCR expressly states that the “conduit” exception does not apply to CSPs, as it is available only for PHI that is “transient” in nature. Thus, for these key reasons, CSPs are considered business associates and are subject to direct liability under HIPAA.

A CSP must meet applicable HIPAA requirements, such as proper internal controls and breach response procedures. This also means that there must be a HIPAA-compliant business associate agreement (BAA) in place covering the arrangement. Consistent with this, OCR previously entered into a settlement agreement with a covered entity for $2.7 million and a corrective action plan because the covered entity stored ePHI on a cloud-based server without entering into an appropriate BAA.

OCR issued other specific points of guidance with respect to cloud computing, including the following:
(Continued in “The Cloud Grounded: Cloud Hosts Are Business Associates Under HIPAA Security Rule”.)

While much of Washington, D.C. is enjoying the slow and hazy days of summer, the Federal Trade Commission (FTC) is staying busy solidifying its presence as the go-to authority for data security. Most recently, on July 29, 2016, the FTC issued a unanimous Opinion and Final Order against LabMD, Inc., for its unreasonable data security

Look no further than the last three weeks for proof that HIPAA enforcement is on the rise.

Failure to maintain the security of information systems containing patient information has cost healthcare providers over $10 million in recent settlements of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and

Ransomware attacks appear to be increasing in frequency as well as severity. Ransomware is malicious software that encrypts data until a ransom is paid to the hacker. For healthcare providers, the inability to access electronic health records systems due to a ransomware attack is a disaster scenario. While the decision whether to pay a ransom

On June 30, 2016, the Health and Human Services Office for Civil Rights (OCR) announced the first-ever settlement of Health Insurance Portability and Accountability Act (HIPAA) claims against a business associate. According to the settlement agreement, an OCR investigation found that Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a nonprofit corporation that

Despite the issuance of the Omnibus Final Rule in 2013, HIPAA enforcement activity has remained relatively light—until recently. Indeed, compared to just a few settlements a year for the first decade that HIPAA was in force, from September 2015 through April 2016, HIPAA settlements have been coming out at a pace of more than one

The omnibus appropriations legislation that Congress passed last week contained a variety of health-related provisions. These provisions include rescinding funding for the Independent Payment Advisory Board (IPAB), deficit-neutral language related to risk corridor payments, and cybersecurity.

Within a title dealing with cybersecurity issues, including within the federal government, section 405 requires the Department of Health